<html>
<head><meta charset="utf-8"><title>Priority order for crate registries · t-cargo · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/index.html">t-cargo</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/Priority.20order.20for.20crate.20registries.html">Priority order for crate registries</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="225808709"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/Priority%20order%20for%20crate%20registries/near/225808709" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dirkjan Ochtman <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/Priority.20order.20for.20crate.20registries.html#225808709">(Feb 10 2021 at 08:59)</a>:</h4>
<p>Is Cargo sensitive to this kind of thing as well? <a href="https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/">https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/</a></p>



<a name="225808893"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/Priority%20order%20for%20crate%20registries/near/225808893" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dirkjan Ochtman <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/Priority.20order.20for.20crate.20registries.html#225808893">(Feb 10 2021 at 09:00)</a>:</h4>
<p>More info here: <a href="https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610">https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610</a></p>



<a name="225809094"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/Priority%20order%20for%20crate%20registries/near/225809094" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/Priority.20order.20for.20crate.20registries.html#225809094">(Feb 10 2021 at 09:02)</a>:</h4>
<p><a href="http://crates.io">crates.io</a> won't allow uploading if regular or build dependencies are not already on <a href="http://crates.io">crates.io</a>. Dev dependencies can be missing, I think, but those won't be built for dependencies except in cases of things like crater.</p>



<a name="225809188"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/Priority%20order%20for%20crate%20registries/near/225809188" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/Priority.20order.20for.20crate.20registries.html#225809188">(Feb 10 2021 at 09:03)</a>:</h4>
<p>In any case, even if <a href="http://crates.io">crates.io</a> were to allow uploading it, it would simply be impossible to build it. Cargo requires all dependencies to be found.</p>



<a name="225809936"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/Priority%20order%20for%20crate%20registries/near/225809936" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dirkjan Ochtman <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/Priority.20order.20for.20crate.20registries.html#225809936">(Feb 10 2021 at 09:11)</a>:</h4>
<p>Ah, it was also discussed on reddit: <a href="https://www.reddit.com/r/rust/comments/lgl7bf/is_cargo_vulnerable_to_this_supplychain_attack/">https://www.reddit.com/r/rust/comments/lgl7bf/is_cargo_vulnerable_to_this_supplychain_attack/</a></p>



<a name="225812083"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/Priority%20order%20for%20crate%20registries/near/225812083" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Chris Denton <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/Priority.20order.20for.20crate.20registries.html#225812083">(Feb 10 2021 at 09:33)</a>:</h4>
<p>The users forum has more information on using cargo config to replace the default <a href="http://crates.io">crates.io</a> source: <a href="https://users.rust-lang.org/t/dependency-confusion-attack-may-be-applicable-to-alternative-registries/55389/5">Dependency confusion attack — may be applicable to alternative registries</a>.</p>
<p>This may help prevent accidentally using <a href="http://crates.io">crates.io</a>.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>